Comment by blueflow
2 days ago
This can be done at login time without the user noticing, as you have the plaintext password for a moment.
2 days ago
> This can be done at login time without the user noticing, as you have the plaintext password for a moment.
Yeah, this is the best practice. We offer that in our product.
But it's possible that you could follow the best practice and still force a reset. This could be because:
* the customer or provider doesn't want to wait for everyone to log in
* they've waited for N months and now there is a block of users who have not logged in yet and they think it is worth the user annoyance to just force them all to reset their password
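
The approach discussed in this thread, as an added example that is not part of either comment or any product's code: a login handler that verifies against the old hash and re-hashes while the plaintext is in memory, plus a query for accounts that never logged in. The legacy scheme (salted SHA-256), the new scheme (PBKDF2-HMAC-SHA256), the record layout and all function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 600_000  # assumed work factor for the new scheme

def legacy_hash(password: str, salt: bytes) -> str:
    # Assumed old scheme: one round of salted SHA-256.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def new_hash(password: str, salt: bytes) -> str:
    # Assumed new scheme: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS).hex()

def login(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "pbkdf2":
        return hmac.compare_digest(new_hash(password, rec["salt"]), rec["hash"])
    # Legacy record: verify with the old scheme first.
    if not hmac.compare_digest(legacy_hash(password, rec["salt"]), rec["hash"]):
        return False
    # The plaintext is available only now, so upgrade the stored hash
    # with a fresh salt and drop the legacy hash entirely.
    salt = os.urandom(16)
    store[user] = {"scheme": "pbkdf2", "salt": salt, "hash": new_hash(password, salt)}
    return True

def still_legacy(store: dict) -> list:
    # Accounts that have not logged in since the migration started:
    # the block of users a forced reset would target.
    return sorted(u for u, r in store.items() if r["scheme"] == "legacy")

def make_store() -> dict:
    # Constructed sample accounts, both on the legacy scheme.
    s1, s2 = b"salt-alice", b"salt-bob"
    return {
        "alice": {"scheme": "legacy", "salt": s1, "hash": legacy_hash("correct horse", s1)},
        "bob": {"scheme": "legacy", "salt": s2, "hash": legacy_hash("hunter2", s2)},
    }

if __name__ == "__main__":
    store = make_store()
    print(login(store, "alice", "correct horse"), still_legacy(store))
```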